[PATCH] Encode value and field before calculating cookie digest, the same way secure_value() does
thevlad at gmail.com
thevlad at gmail.com
Thu Apr 12 19:54:31 CEST 2018
From: Vlad Safronov <thevlad at gmail.com>
Bugfix: Encode value and field before calculating cookie digest, the same way as secure_value() does
so validating will work correctly on encoded values.
---
filters/simple-authentication.lua | 2 ++
1 file changed, 2 insertions(+)
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index de34d09..b40a819 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -230,6 +230,8 @@ function validate_value(expected_field, cookie)
return nil
end
+ value = url_encode(value)
+ field = url_encode(field)
-- Lua hashes strings, so these comparisons are time invariant.
if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
return nil
--
2.17.0
More information about the CGit
mailing list